Installing IPCop as a Virtual Machine on Proxmox VE
How I virtualized my IPCop installation on Proxmox VE hypervisor. This how-to assumes you already have a running Proxmox VE host. If you want to try Proxmox VE click here. Other requirements are, there needs to be two physical network cards installed on the Proxmox host. Three if you intend to setup DMZ.
After downloading the latest IPCop installation iso. I have to upload the iso to my Proxmox host local storage.
From the Proxmox web panel click on local (proxmox-name-of-your-proxmox-host). Then click Content tab then Upload. Which brings up the upload window. Browse to location of the downloaded IPCop iso then click upload.
Creating a Linux Bridge
This is the part I miss using VMware ESX control panel assigning virtual switches and nic cards. Proxmox web interface has the ability to create Linux Bridges and OVS switches for virtual machines to use but the configuration I am going to use can’t be done through the Proxmox web interface. This has to be done through the command line.
Note: I found it easier to keep the other physical network cards unplugged except for one nic card which will be used by the Proxmox web control panel. As I created each virtual bridge it was only then I plugged in the associated nic card. This made it easier for me to identify as to which physical nic card to assign to each virtual bridge added.
The image below shows starting with one plugged in nic card.
I prefer to use vi when editing files so I had to install it first.
apt-get install vim
Connect to Proxmox host using SSH.
ssh -l root proxmox-server-ip
What the following bridge settings mean.
bridge_stp off # disable Spanning Tree Protocol
bridge_fd 0 # no forwarding delay
bridge_ports eth0 # which nic card to attach
Move to the network directory.
Edit the interface file.
Copy and paste below after any configuration already in there.
## this is for IPCop WAN nic auto vmbr1 iface vmbr1 inet manual bridge_ports eth1 bridge_stp off bridge_fd 0
Save and exit.
Each time a network bridge is created a reboot is needed to apply new settings.
After Proxmox reboots your network settings should look similar to mine. The IP address for vmbr0 and gateway settings have been erased for security reasons. vmbr1 settings for Port/Slaves, IP address, Subnet mask and Gateway are intentionally left blank. This is to make sure any network traffic coming through vmbr1/eth1 will pass through IPCop WAN virtual nic.
My IPCop topology created using this free online drawing tool.
Create IPCop virtual machine
From the top right corner of web interface click on Create VM. Name the Virtual Machine. Click next.
Choose the new Linux versions. Click next.
Using default storage called local. This will be where my virtual machine images will be stored. From drop down choose IPCop iso we uploaded earlier. Click next.
Hard disk settings. Bus/Device is set to use IDE. When I tried to use VirtIO, IPCop was unable to find the hard disk during installation. I picked raw format for speed. Click next.
For CPU type I am using KVM32. Why I went with kvm32 click here.
Allocate memory. Click next.
Add nic card for LAN (GREEN) use. I am using the Intel E1000 model to make it easier to identify which nic card to assign for GREEN use. Click next. Then click finish.
Now add the WAN (RED) nic. Click on IPCop vm then Hardware tab menu. Then for bridge use vmbr1 we created earlier. For nic card model use Realtec RTL8139. Click add.
This is what my hardware looks like. Mac addresses erased for security reasons.
Click on Start to start the IPCop VM from the right top menu. The status should show OK on the task panel below. Status will also show resource usage. To complete setup we will need to connect to VM using Console. Click on console. Which brings up the IPCop boot screen. Click inside the console window then click enter key on the key board.
Note: if console window only shows white blank screen just click reload.
Click ok to begin installation.
Choose keyboard setting.
Choose timezone and set correct time.
Accept hard drive to install on. When ask are you sure you want to continue choose Ok.
This will be a Hard Disk install.
We’re not restoring from backup click tab to skip.
Install done. Click enter.
Choose a name.
Enter domain name.
Choose static. Depends of course on how your WAN setup. Mine is a static IP.
Network Card Assignment
This is why I wanted to use two different nic models so I could easily identify which nic card to assign. I already know bridge vmbr0 is using eth0 on the Proxmox host. This is also where the Promox web interface is listening on.
The Realtek virtual network device will be assigned to WAN (RED). Choose select then RED. Tab to asssign.
Do the same for the Intel Card but this time assign it to GREEN for internal LAN use.
When all cards have been assigned tab to Done.
Assign Internal IP for GREEN interface.
Assign WAN IP for RED interface.
Assign DNS name servers to use and WAN gateway.
Skip enabling DHCP unless you need it activated for your LAN.
Create password for the next three screens for each IPCop user account.
Installation is finally done!
After IPCop reboots login on the console to test if you can ping an internal IP and WAN IP. Login as root.
You should be able to ping out to an external IP. I am pinging Google’s nameserver below.
I am also able to ping an internal IP.
I now have a functioning IPCop firewall. But what if I wanted to add another nic card so I can place some hosts in DMZ?
Adding an IPCop DMZ
Here is one of the reasons it is good to use a DMZ network. NY Times Article.
To make this work I had to add another physical network card on my Proxmox server. I then had to add another bridge for DMZ use.
Again we have to edit the file.
Adding this right below the vmbr1 we created earlier.
## this is for IPCop DMZ nic auto vmbr2 iface vmbr2 inet manual bridge_ports eth2 bridge_stp off bridge_fd 0
Save the file.
Reboot Proxmox host.
Checking the network configuration on our Proxmox host you will find a new bridge called vmbr2. With the associated physical nic eth2 showing it is active. We now could assign this to our virtual IPCop firewall.
Go ahead and shutdown the IPCop vm we will then add a virtual nic from the hardware tab menu. I am adding another model Intel E1000 for this virtual nic which will attached to the physical nic card eth2.
Go ahead and start the IPCop vm to setup our new virtual nic card. Logging as root on the console. Then type setup > enter.
Scroll down to Networking. Tab to select.
Scroll down to Drivers and card assignments. Tab to select.
There is the unassigned Intel card. Tab to select.
Scroll down to Orange. Orange in IPCop speak is the color assigned to DMZ zones. Blue as you guessed it is assigned for Wifi hot spots. Tab to assign.
All 3 virtual nics should be assigned. Tab to done.
Now we will need to add an IP for the Orange nic card. This IP will be used as a gateway for any computers or devices which are connected to the Orange switch or Hub.
Scroll down to Address settings. Tab to select.
Select which interface to configure. Tab to select.
Put in IP from any of the private class range. Tab ok. Then tab Go Back > Go Back. Then exit setup.
You should be able to ping the IP in the Orange zone.
Connecting to IPCop web interface
With our networking setup done time to connect to IPCop from the web browser. IPCop uses port 8443. Point your browser to your IPCop’s IP address (GREEN).
https://192.168.1.1:8443 (your browser will prompt you to accept an unsigned certificate. Go ahead and accept the IPCop certificate).
If you need to change IPCop default gui port to something else other than 8443, you could do so by doing it on the command line. The command below will change the port to 5445.
/usr/local/bin/setreservedports.pl --gui 5445
Login using the credentials you created earlier to manage IPCop this would be admin.
First thing I like to do after I login is to check for IPCop updates. From the System menu > updates. Here it shows I have three updates to apply by clicking on the green down arrow beside each update. Then click apply.
After applying all updates I want to check if there are any open ports open through IPCop going into my LAN. First I will change the gateway setting on my Mac to use the IP address of the GREEN zone which was 192.168.1.1.
Using this website I can scan my IPCop WAN IP in this example I was using IP 188.8.131.52. Below are my results if it were open a green indicator will show next to the port number.
Checking my IPCop firewall logs the DROP scan results show up.
Looking at my IPCop virtual machine’s status from Proxmox control panel. I can see very low resource usage I even reduced my original memory allocation of 2.5 GB to 1 GB.
There is also a nice real time view for CPU, Memory, Network and Disk IO usage. Available for each virtual machine.
This is the part I really like about the Proxmox hypervisor I am able to backup a running virtual machine without shutting down the vm. It will still be accessible while the backup snapshot is in progress. Yes this feature comes free with the Proxmox hypervisor unlike free versions of ESX. There was a time I had to use a commercial tool from Trilead to backup my virtual machines on free ESX. Not anymore!
When I did a backup to my nfs storage.
It took only 21 seconds to complete a backup of my IPCop vm.
Upon looking at the real space being used by my IPCop vm this tells me I could have allocated a smaller hard drive space when I created my virtual machine earlier. If I was using qcow2 I can resize the virtual disk from the web control panel. Why I decided to use the raw format? This was based on what I have read from Promox support forum if you want performance speed use the raw format.
I hope this will urge you to virtualize IPCop using the rock solid reliable Open Source bare metal hypervisor called Proxmox ve.
This concludes the tutorial Installing IPCop as a Virtual Machine on Proxmox VE.